Listen to this Post
The vulnerability (CVE-2023-49569) resides in how the `go-git` library, which uses `go-billy` for filesystem abstraction, processes symbolic links when handling untrusted repository data. The core issue is a lack of depth and cycle detection during symlink resolution within a chroot-like environment (the ChrootOS).
When `go-git` clones a repository using functions like PlainClone, it creates a virtual filesystem rooted in a specific directory (e.g., the worktree root) using go-billy‘s ChrootOS. The `go-billy` utility functions, like SecureJoin, are responsible for resolving paths that contain `..` components or symlinks while ensuring the final path does not escape the root. However, versions prior to the fix did not have adequate safeguards against malicious symlinks.
An attacker can craft a Git repository containing a structure of deeply nested symlinks or symlink cycles (e.g., a symlink that points to a symlink that points back to itself). When `go-git` attempts to read or process a file via a path that includes such a symlink chain, the path resolution logic enters an infinite loop or uncontrolled recursion. The lack of a recursion limit and missing cycle detection causes the resolver to follow links indefinitely. This leads to a denial-of-service (DoS) condition as the process hangs, consuming 100% CPU and potentially exhausting memory resources, ultimately crashing the application. The issue is specific to the `ChrootOS` filesystem wrapper, which is the default for “Plain” operations and is widely used for sandboxing.
DailyCVE Form:
Platform: go-git / go-billy
Version: Prior to v5.11
Vulnerability : Path Traversal / Symlink Following
Severity: Critical
date: 2024-01-10
Prediction: Patch available (v5.11.0)
What Undercode Say:
Analytics show a high risk of exploitation in CI/CD pipelines and Git clients using vulnerable `go-git` versions. Attackers can trigger resource exhaustion (CPU/memory) by pushing a crafted repository, leading to a denial-of-service on the target system. The vulnerable module is widely used, making this a significant supply chain risk. A simple mitigation is to limit `go-git` usage to trusted Git servers until an upgrade is possible.
Check if your project uses a vulnerable version of go-git.
grep "github.com/go-git/go-git/v5" go.mod | grep -E 'v5.[0-9]+.[0-9]+' | awk '{print $2}' | while read -r v; do if [[ "$v" < "v5.11.0" ]]; then echo "Vulnerable version $v found. Upgrade to v5.11.0 or higher."; fi; done
Exploit:
A repository with a symlink cycle (e.g., `a -> b` and b -> a) placed within a path accessed by `go-git` will cause an infinite loop in the path resolver. The process will hang, consuming 100% CPU until it is killed or the system runs out of memory.
Protection from this CVE
Upgrade `go-git` to version v5.11.0 or later. If an immediate upgrade is not possible, limit usage of `go-git` to only trust-worthy Git servers. Avoid using `Plain` versions of `Open` and `Clone` functions (PlainClone, PlainOpen) on untrusted repositories.
Impact:
Successful exploitation leads to a denial-of-service (DoS) condition, making the application or service unresponsive. In CI/CD pipelines, this could block deployments or cause build failures. As a path traversal vulnerability, it can also allow an attacker to read arbitrary files on the host system or, in worst-case scenarios, achieve remote code execution.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

